Anti-DDoS Proxy protects your services from large-scale distributed denial-of-service (DDoS) attacks by routing all incoming traffic through globally distributed scrubbing centers. The scrubbing centers filter out attack traffic and forward only legitimate requests to your origin server, keeping your services available even during active attacks.
How it works
Anti-DDoS Proxy cleans traffic in three stages:
Traffic redirection — All incoming Internet traffic is redirected to an Anti-DDoS scrubbing center, either by updating your DNS record or by pointing your service IP address to the Anti-DDoS instance IP address.
Traffic scrubbing — The scrubbing center applies multilayer detection and filtering to block Layer 3 and Layer 4 volumetric attacks (SYN floods and UDP floods) and Layer 7 application-layer attacks (HTTP floods). Malicious traffic is identified and dropped.
Clean traffic forwarding — Scrubbed traffic is securely and reliably forwarded back to your origin server through port and protocol forwarding.
Traffic redirection methods
Direct your service traffic to the Anti-DDoS instance using one of the following methods.
| Redirection method | Description | Use cases | Pros | Cons |
|---|---|---|---|---|
| DNS resolution | Change the DNS record of your domain name (for example, www.example.com) to the CNAME address provided by Anti-DDoS Proxy. | Domain-based services: websites, web applications, and APIs. | Simple to configure and takes effect quickly, enabling rapid switching during an attack. | Does not protect against attacks that directly target the origin IP address. |
| Direct IP pointing | Configure forwarding rules in the Anti-DDoS instance so the instance IP becomes the service entry point, with traffic forwarded to your origin server IP. Clients access the Anti-DDoS instance IP directly. | Non-website services accessed by IP address: games and app backend services. | Directly protects the IP address and hides the origin server. | Switching IP addresses may disrupt some client connections. |
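The DNS resolution method leaves the origin attackable if any DNS record still reveals its address. As an added example (not Alibaba Cloud code), this Python check audits a constructed zone export for records that bypass the proxy; the CNAME suffix, hostnames and IP addresses are placeholder assumptions, not values from this page.

```python
import ipaddress
import re

# Assumptions, not from the page: the CNAME suffix, hostnames and addresses are
# placeholders. Use the CNAME shown for your instance and your real origin IPs.
PROXY_SUFFIX = ".antiddos-proxy.example.net."
ORIGIN_NETS = [ipaddress.ip_network("203.0.113.10/32")]

# Constructed zone export: (owner name, record type, value).
ZONE = [
    ("www.example.com.", "CNAME", "abc123.antiddos-proxy.example.net."),
    ("static.example.com.", "CNAME", "www.example.com."),
    ("api.example.com.", "A", "203.0.113.10"),
    ("old.example.com.", "CNAME", "api.example.com."),
    ("mail.example.com.", "A", "198.51.100.7"),
    ("example.com.", "TXT", "v=spf1 ip4:203.0.113.10 -all"),
]

def is_origin(text):
    """True if text is an IP address or CIDR that overlaps a known origin network."""
    try:
        net = ipaddress.ip_network(text, strict=False)
    except ValueError:
        return False
    return any(net.version == o.version and net.overlaps(o) for o in ORIGIN_NETS)

def terminal(name, zone, depth=8):
    """Follow in-zone CNAMEs from name (bounded, so loops end); return the last name."""
    cnames = {n: v for n, t, v in zone if t == "CNAME"}
    while name in cnames and depth > 0:
        name, depth = cnames[name], depth - 1
    return name

def audit(zone):
    """Return sorted (name, finding) pairs for records that reveal the origin."""
    exposed = {n for n, t, v in zone if t in ("A", "AAAA") and is_origin(v)}
    findings = {(n, "address record exposes origin") for n in exposed}
    for name, rtype, value in zone:
        if rtype == "CNAME" and terminal(name, zone) in exposed:
            findings.add((name, "CNAME chain ends at origin"))
        elif rtype == "TXT" and any(is_origin(t) for t in re.findall(r"ip[46]:(\S+)", value)):
            findings.add((name, "TXT/SPF lists origin"))
    return sorted(findings)

def protected(name, zone):
    """True if name resolves, via in-zone CNAMEs, into the proxy's CNAME space."""
    return terminal(name, zone).endswith(PROXY_SUFFIX)
```

Running `audit(ZONE)` on the constructed data flags `api`, `old` and the SPF record, while `www` and `static` pass `protected()`.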
Key capabilities
Quick deployment — Supports DNS resolution and direct IP pointing. Requires no hardware or software installation and no changes to routing configuration. Setup typically completes in minutes, depending on factors such as DNS propagation time. The service keeps your origin IP hidden.
AI-driven protection — At the network layer, the service uses an IP reputation library and deep packet inspection (DPI) to block volumetric attacks. At the application layer, an AI engine learns your traffic patterns to identify and filter Challenge Collapsar (CC) attacks, with URL-level protection policies to reduce operational overhead.
Massive mitigation capacity — The global protection network provides over 20 Tbps of total bandwidth, including more than 5 Tbps outside the Chinese mainland, covering attacks at the network, transport, and application layers.
Burstable protection — Upgrade protection bandwidth online at any time. Changes take effect in seconds, letting you scale defenses during burst attacks without service interruptions.
99.95% availability — A fully redundant architecture with monitoring across data centers, servers, engines, and links, backed by automatic failover and recovery.
Intelligent traffic rerouting — Integrates with other Alibaba Cloud products to automatically redirect traffic to Anti-DDoS Proxy when an attack is detected, without intervening during normal operation.
Product editions
Anti-DDoS Proxy is available in two editions based on where your servers are deployed: Anti-DDoS Proxy (Chinese Mainland) and Anti-DDoS Proxy (Outside Chinese Mainland).
| Edition | Instance type | Key features | Notes |
|---|---|---|---|
| Anti-DDoS Proxy (Chinese Mainland) | Profession | Exclusive IP address, multi-line Border Gateway Protocol (BGP) protection, and support for basic and burstable protection. | — |
| Anti-DDoS Proxy (Chinese Mainland) | Advanced | Includes two advanced mitigation sessions per month (resets monthly). | Contact your account manager to activate. |
| Anti-DDoS Proxy (Outside Chinese Mainland) | Insurance and Unlimited | Both plans are for services deployed exclusively outside the Chinese mainland. They differ in billing method, capacity, and advanced mitigation sessions: Insurance provides two per month; Unlimited has no limit. To reduce latency for users in the Chinese mainland accessing sites outside, combine these plans with a Secure Acceleration (Sec-CMA) line. For details, see Configure Sec-CMA for Anti-DDoS Proxy (outside the Chinese mainland). | — |
| Anti-DDoS Proxy (Outside Chinese Mainland) | Sec-CMA 2.0 | Provides access acceleration for users in the Chinese mainland and application-layer DDoS protection. After selecting a specific number of DDoS mitigation sessions, the instance can also defend against large-volume attacks from China Telecom, China Unicom, and China Mobile lines. | — |
| Anti-DDoS Proxy (Outside Chinese Mainland) | Sec-CMA 2.0 (Insurance) and Sec-CMA 2.0 (Unlimited) | Mostly the same as Sec-CMA 2.0, with the option to disable the Metering Method of 95th Percentile Burstable Clean Bandwidth and 95th Percentile Burstable QPS modes. | Features have been migrated to Sec-CMA 2.0. Not recommended for new instances. For existing instances only. |
| Anti-DDoS Proxy (Outside Chinese Mainland) | Chinese Mainland Acceleration and Sec-CMA 1.0 | Legacy versions that do not support China Mobile lines. | Not recommended for new instances. Upgrade to Sec-CMA 2.0 — contact your account manager. |
Choose an edition
Select an edition based on where your servers are deployed and where your users are located.
| Server location | User source | Requirements | Recommended edition |
|---|---|---|---|
| Chinese mainland | Chinese mainland and outside | General DDoS protection. | Anti-DDoS Proxy (Chinese Mainland) — Profession |
| Outside Chinese mainland | Outside Chinese mainland | No cross-border acceleration needed. | Anti-DDoS Proxy (Outside Chinese Mainland) — Insurance or Unlimited |
| Outside Chinese mainland | Chinese mainland | Cross-border acceleration required for low latency. | Anti-DDoS Proxy (Outside Chinese Mainland) — Sec-CMA 2.0 |
| Outside Chinese mainland | Chinese mainland and outside | Cross-border acceleration needed without migrating servers. | Combined purchase: Sec-CMA 2.0 + Insurance or Unlimited |
| Outside Chinese mainland | Chinese mainland and outside | Servers can be migrated to different locations based on user source. After migration, users in each region are served by servers and protection editions in their respective region. | Chinese mainland users: Profession. Outside Chinese mainland users: Insurance or Unlimited. |
Billing
Anti-DDoS Proxy fees consist of a subscription instance fee and pay-as-you-go burstable fees.
Instance fee (subscription) — Billed monthly or yearly based on the specifications you select: basic protection bandwidth, clean bandwidth, and queries per second (QPS). For details, see Billing of Insurance and Unlimited mitigation plans, Billing of CMA, and Billing of Sec-CMA.
Burstable protection fee (pay-as-you-go) — Charged only when DDoS attack traffic exceeds your basic protection bandwidth, calculated daily based on peak attack traffic. For details, see Metering method of burstable protection bandwidth.
Burstable clean bandwidth/QPS fee (pay-as-you-go) — Charged only when normal service traffic or QPS exceeds your basic specifications, calculated based on the daily or monthly 95th percentile bandwidth. For details, see Billing of burstable clean bandwidth and Billing of burstable QPS.
Global advanced mitigation session — An optional add-on purchasable for specific instances. For details, see Billing of advanced mitigation sessions.
Anti-DDoS Network Latency
Anti-DDoS Proxy (the Chinese mainland): 73 ms to 113 ms for users in the Chinese mainland, and about 313 ms for users outside the Chinese mainland.
Anti-DDoS Proxy (outside the Chinese mainland):
Insurance and Unlimited mitigation plans: 60 ms to 100 ms for users outside the Chinese mainland, and about 300 ms for users in the Chinese mainland.
CMA and Sec-CMA lines: Network latency is less than 50 ms.